Risk Chat: What Should You Do about Mobility Risk?
February 21, 2012
In my last post, I described the challenge more and more CIOs face as they seek to provide greater control and security around employee-owned mobile devices (like smart phones, tablets and netbooks). In this post, I talk to Sajal "Saj" Sahay, vice president of Mobilisafe, to find out what CIOs, CFOs and risk managers ought to understand about mobile risk.
Eric Krell: What are the top three mobile-risk questions that CFOs, CIOs and risk managers should address right now?
Saj Sahay: There are many, but I would say the following three are the most important, given data we uncovered in a recent product beta trial.
1. Do you know how many and which kinds of mobile devices your employees actually use to access company data?
We found that most organizations are already highly mobilized, with more than 80 percent of the employees already using smartphones and tablets. In fact, a new device model is being introduced to a company for every 6.6 employees, a number that was significantly underestimated by the IT staff involved in the study.
2. Do you know the percentage of mobile devices at your company that are using out-of-date firmware, exposing them to security vulnerabilities?
Most IT departments lack the proper solutions to map their corporate standard for information security used with laptops, desktops and servers to mobile devices. This is especially true of out-of-date firmware, given the complex ecosystem of carriers, OEMs and OS owners inherent with mobile devices. For example, we found that 56 percent of iOS devices in the study were running out-of-date firmware.
3. Do you know the percentage of authenticated mobile devices that were inactive for more than 30 days, meaning they're either misplaced, stolen or resold with company data potentially still on them?
Our study showed that 39 percent of authenticated devices were inactive for more than 30 days, prompting concerns and conversations with employees about lost, sold or otherwise misplaced devices with employee credentials and sensitive corporate data.
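One way to derive the three figures above from a device inventory, as an added example that is not Mobilisafe's code or anything from the original post. The inventory rows, the per-OS firmware baselines and the report date are constructed for illustration; a real run would read them from an MDM or mail-server export and from vendor advisories.

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class Device:
    employee: str
    os: str
    model: str
    firmware: str    # version string as reported by the device, e.g. "5.0.1"
    last_seen: date  # last successful authentication to company mail or data

# Constructed sample inventory (not real data), shaped like an MDM or mail-server export.
INVENTORY = [
    Device("alice", "iOS", "iPhone 4S", "5.0.1", date(2012, 2, 20)),
    Device("bob", "iOS", "iPad 2", "4.3.3", date(2011, 12, 1)),
    Device("carol", "Android", "Nexus S", "2.3.6", date(2012, 2, 19)),
    Device("dave", "Android", "Galaxy S II", "2.3.6", date(2012, 1, 5)),
    Device("erin", "iOS", "iPhone 4", "5.0", date(2012, 2, 21)),
    Device("frank", "iOS", "iPhone 4S", "5.0.1", date(2012, 2, 21)),
]

# Assumed minimum acceptable firmware per OS; an organization would set these from vendor advisories.
BASELINE = {"iOS": "5.0.1", "Android": "2.3.6"}
AS_OF = date(2012, 2, 21)  # constructed report date for the sample inventory

def version_tuple(v):
    """Turn "5.0.1" into (5, 0, 1) so that "10.0" sorts after "9.1"; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def employees_per_model(devices):
    """Question 1: how many employees there are per distinct device model (6.6 in the study)."""
    return len({d.employee for d in devices}) / len({d.model for d in devices})

def pct_outdated(devices, baseline):
    """Question 2: share of devices whose firmware is below the baseline for their OS."""
    old = [d for d in devices if version_tuple(d.firmware) < version_tuple(baseline[d.os])]
    return 100 * len(old) / len(devices)

def pct_inactive(devices, today, days=30):
    """Question 3: share of authenticated devices not seen for more than `days` days."""
    stale = [d for d in devices if (today - d.last_seen).days > days]
    return 100 * len(stale) / len(devices)

def mobility_risk_report(devices, baseline, today):
    return {
        "employees_per_model": round(employees_per_model(devices), 1),
        "pct_outdated_firmware": round(pct_outdated(devices, baseline), 1),
        "pct_inactive_30d": round(pct_inactive(devices, today), 1),
    }
if __name__ == "__main__":
    print(mobility_risk_report(INVENTORY, BASELINE, AS_OF))
```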
Krell: What are some of the things that can, and do, go wrong when these questions are left unanswered or are not addressed in a risk-intelligent manner?
Sahay: This lack of visibility to mobile devices and their usage can have significant consequences, exposing companies to serious security risk. Let's use refurbished devices as an example. Every day, the number of refurbished devices increases as users trade in older models for the latest innovation. If these devices still maintain information such as employee passwords, this creates an opportunity for a stranger to gain access to your confidential data and company IP. Some of the potential effects include: a) regulatory and compliance issues; b) brand reputation damage; and c) complications with client/customer legal requirements to protect their data.
There is precedent for this. Motorola recently announced that refurbished Xoom tablets were accidentally sold with data such as passwords still on the device. Incredibly, half of the mobile devices sold on eBay still contain personal information on them.
Krell: In an earlier discussion, you mentioned BYOD. It's a term that I'm guessing every CIO knows very well these days. At a high level, what do CFOs, risk managers and internal auditors need to know about the growth of BYOD and its attendant risks?
Sahay: BYOD, or "bring your own device," caught on as iOS and Android devices started to become more sought-after than Blackberry devices. Today, more than half of all companies allow employees to use their own smartphones and tablets at work. It's amazing how quickly BYOD has become mainstream. While employee happiness and productivity gains have bolstered this trend, a by-product is the growth in data-security risk. These risks are magnified by the sheer diversity of device models employees bring to work.
In a recent study, 71 percent of the businesses surveyed said that mobile devices have caused an increase in security incidents, citing significant concerns about the loss and privacy of sensitive information stored on employee devices, including corporate e-mail (79 percent), customer data (47 percent) and network login credentials (38 percent). Discovering, understanding and managing these risks should be a top concern of CFOs and CIOs alike.
It's very important for companies to invest in server security and know what steps to make in order to improve the mobility risk. I use an iPhone at work and a lot of my colleagues also use Apple devices because they are secure and easy to handle.
Data Security & Privacy
Company data should remain private and secured despite the fact that it is being accessed by employees. There still should be limits when it comes to data dissemination.
Marla Ahlgrimm